Open Software Supply Chain Attack Reference (OSC&R) > T0162 - Passwords in CI/CD logs

T0162 - Passwords in CI/CD logs

This type of attack involves searching through the logs generated by the CI/CD system for any sensitive information that may have been inadvertently logged, such as passwords, API keys, or other types of credentials. In a CI/CD system, logs are generated automatically as part of the build and deployment process. These logs may contain information about the system's configuration, the commands that were executed, and any errors or warnings that were encountered. In some cases, these logs may also contain sensitive information that was inadvertently included in the command-line arguments, environment variables, or other parts of the system configuration.
ID: T0162
Type: Technique
Tactic: Credential Access
Summary: Passwords in CI/CD logs
State: Draft

Mitigations

ID: M1120
Type: Mitigation
Summary: Store credentials in vault
Description: Sensitive data like credentials and API tokens should not be stored directly in code. Modern applications talk to many third-party APIs, SaaS solutions and other dependencies. This integration usually requires an API token, username and password credential or other similar variable. Sometimes these sensitive credentials include database host strings or hostnames. None of these credentials should be stored directly in code. Software engineers often don't understand the consequences of embedding these credentials in code. This is especially true for JavaScript applications that run client side, as these credentials are often visible by inspecting the JavaScript files running in the local browser.

ID: M1300
Type: Mitigation
Summary: Implement log sanitization
Description: Implement log sanitization techniques that automatically remove or obfuscate sensitive information from logs, such as passwords, API keys, access tokens, or other types of credentials. This can prevent sensitive information from being inadvertently logged in the first place.

ID: M1301
Type: Mitigation
Summary: Implement log sanitization
Description: Configure log levels and verbosity to minimize the amount of sensitive information that is logged. Set appropriate log levels to ensure that only necessary information is logged, and avoid logging sensitive data unless absolutely necessary.

ID: M1302
Type: Mitigation
Summary: Implement strict access controls for logs
Description: Implement strict access controls for logs to ensure that only authorized personnel have access to log files. Use role-based access controls (RBAC) and least privilege principles to restrict access to logs to only those who need it for their job functions.

ID: M1550
Type: Mitigation
Summary: Implement strict access control for clouds
Description: Limit access to cloud resources to only authorized users and ensure that proper authentication and authorization mechanisms are in place.

Detections

ID: D1300
Type: Detection
Summary: Implement regular log reviews
Description: Conduct regular manual reviews of logs to identify any sensitive information that may have been inadvertently logged. This can involve reviewing log files for patterns or anomalies that may indicate sensitive information, or using search and filtering techniques to identify potential incidents.

ID: D1510
Type: Detection
Summary: Implement Intrusion Detection System and anti-malware
Description: An intrusion detection system (IDS) is a security tool designed to detect and alert on unauthorized access to a computer system or network. Implementing intrusion detection systems (IDS) and anti-malware software can help to identify and block malicious activity. IDS is a critical security tool that helps organizations detect and respond to security incidents in a timely manner. By providing real-time monitoring and analysis of network traffic, IDS can help organizations stay ahead of potential threats and reduce the risk of a security breach.

ID: D1590
Type: Detection
Summary: Implement continuous monitoring and logging of the CI/CD process
Description: Continuous monitoring and logging of the CI/CD process can help organizations detect any unusual activities or deviations from the standard workflow. This can include monitoring the pipeline for unusual resource requests or unauthorized access attempts, as well as analyzing logs for unusual activity that may indicate a potential security breach. By establishing a baseline of normal behavior and regularly comparing it to current activity, organizations can quickly identify and respond to any anomalous behavior. Implementing automated alerts and notifications for suspicious activity can also help security teams respond promptly to potential threats.
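The log sanitization described under M1300 and the pattern-based log review described under D1300 can be combined in one pass over pipeline output. The following is an added example, not code from OSC&R; the regexes, the `[REDACTED]` marker and the sample log lines are constructed for illustration and are not an exhaustive set of credential shapes.

```python
import re

REDACTED = "[REDACTED]"

# (name, regex, index of the group holding the secret). Constructed for this
# example: env-style assignments, HTTP auth headers, credentials embedded in
# URLs, and AWS access key IDs (fixed "AKIA" prefix, 20 characters).
SECRET_PATTERNS = [
    ("env_assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)[A-Z0-9_]*)"
        r"(\s*[=:]\s*)(\S+)"), 3),
    ("auth_header", re.compile(
        r"(?i)(Authorization:\s*(?:Bearer|Basic)\s+)(\S+)"), 2),
    ("url_credential", re.compile(r"(://[^/\s:@]+:)([^@\s]+)(@)"), 2),
    ("aws_access_key", re.compile(r"\b(AKIA[0-9A-Z]{16})\b"), 1),
]


def _redact_group(match, group):
    """Return the full match with only the secret-bearing group replaced."""
    start, end = match.span(group)
    whole, offset = match.group(0), match.start()
    return whole[: start - offset] + REDACTED + whole[end - offset:]


def sanitize_line(line):
    """Redact every pattern hit in one log line; also report which fired."""
    findings = []
    for name, regex, group in SECRET_PATTERNS:
        line, hits = regex.subn(lambda m: _redact_group(m, group), line)
        if hits:
            findings.append(name)
    return line, findings


def scan_log(lines):
    """Sanitize a whole log. Returns (clean_lines, report) where report maps
    1-based line numbers to the pattern names that matched on that line."""
    clean, report = [], {}
    for number, line in enumerate(lines, start=1):
        new_line, found = sanitize_line(line)
        clean.append(new_line)
        if found:
            report[number] = found
    return clean, report


# Constructed sample of CI output; the host and secrets are placeholders.
SAMPLE_LOG = [
    "[build] Fetching dependencies",
    "[build] DB_PASSWORD=hunter2 npm run migrate",
    "[deploy] git clone https://ci-bot:s3cr3tPAT@github.example/org/app.git",
    "[deploy] > Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.payload.sig",
    "[deploy] AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "[deploy] Upload complete (1.2 MB)",
]
```

Running the sanitizer as a filter between the job and the log store implements M1300; running `scan_log` over archived logs and acting on the report is the D1300 review, with each non-empty entry a credential that must be rotated.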
